Solved

User's My Documents folder Redirection and Administrator Access

Posted on 2009-03-31
Last Modified: 2012-05-06
I need to move our user folders in a Win2k3 domain over to a new file server.  It looks as if the GPO to set up folder redirection at one point must have had the Grant user exclusive rights option either enabled or not configured, as I am running into hundreds of folders that I cannot access as the users are the only ones that have access to them.  The GPO is not set that way now, but the folder permissions apparently do not get updated.  I can go in individually to these folders, take ownership, and then reset the permissions to gain access to them.  Does anyone know of a scripted way, or something, to do this across the board, without messing up the permissions as they are now?
Question by:jvincent9
LVL 27

Expert Comment

by:bluntTony
ID: 24028241
You can change the owner for the top level folder (i.e. the shared folder), and check 'Replace owner on subcontainers and objects'. This will make you the owner of all sub-objects.
Once you have given yourself ownership, you can then grant yourself the required permissions to the top folder, also checking the 'Replace permissions entries on all child objects...' checkbox.
You'll then have permissions to move/edit all the sub folders of the main shared folder. Failing this you could script it, but this should work I think.
0
 

Author Comment

by:jvincent9
ID: 24028735
I have looked into that route...  From what I have seen doing a folder at a time thus far, when I take ownership of the top level folder (the user's folder in this case, to get ownership of their My Documents subfolder), it wants to grant the owner exclusive rights to the My Documents folder because I currently don't have access to it...  This will blow the user's permissions away, and then I need to go back up to the level of the user's folder, and re-apply the permissions down so they get access back to their My Documents folder...  Is that making sense?
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24028830
Changing yourself to the owner won't affect the user's permissions - this just allows you to then edit the permissions. You can then add yourself in to the ACL with the required permissions, still leaving the user's permissions intact.
If you do this on the root folder (the one that is shared - you'll need to log on the server to do this locally or via RDP), change owner/apply the permissions to all sub-objects as described above - you should be in business.
0
 

Author Comment

by:jvincent9
ID: 24030817
Here is what I mean...  Admin group is already the owner of each user folder.  We have a My Documents folder under each of those that is the redirected user folder that we don't have permissions to...  See screenshot attachment.  When trying to filter the ownership down to the subfolders, I am presented with this.  If I say Yes, it replaces all permissions, and just adds the admin group with full control, removing the user's permissions.  I can then go back up to the user root folder, and push the permissions back down, and that is OK...  But I'm dealing with possibly a few thousand user folders that are affected this way...
owner.jpg
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24031527
OK, how about running a backup job to make a copy of the folders. Schedule an NTBackup job to back the folders up using the context of a user you have placed in the 'Backup Operators' local group on the file server.
You can then restore to the new server - worth testing on a handful first.
Either that, or you could apply the permissions under the SYSTEM context, scripting the use of cacls during a startup script would do it, but this seems a bit convoluted. I'd try the backup.
0
 

Author Comment

by:jvincent9
ID: 24031988
Any idea on how to run a script under the system context?  I might actually give that a try first based on the amount of data that I would need to restore from a backup...  I already have some cacls.exe scripts that I could tweak if I could just run them as a user that can modify the folder/file ACLs.
0
 
LVL 27

Accepted Solution

by:
bluntTony earned 500 total points
ID: 24037550
You can open a cmd window in the SYSTEM context using the following method. It's not the best but it works. You have to run this locally on the machine, not from an RDP session as the cmd window will only open on the console session:
From the command prompt, type:
sc create testsvc binpath= "cmd /K start" type= own type= interact
..this creates a service called 'testsvc' which opens the command prompt in the SYSTEM context. To start the service:
sc start testsvc
...you'll get an error message saying that the service failed to start in a timely fashion, but a cmd window will pop up. A quick check in Task manager will show the process as running under the SYSTEM context. You can then launch this service each time you need to do this.
Try and run cacls in this cmd window...
0
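One way to script the cacls step from the accepted answer across every user folder, shown as an added example that is not code from the thread. It assumes a layout of D:\Users\<user>\My Documents and a log folder C:\acl-fix (both hypothetical), and that it is run from the SYSTEM cmd window described above.

```batch
@echo off
rem Added example, not from the thread. Run it in the SYSTEM cmd window.
rem ROOT, LOGDIR and the folder layout are assumptions; adjust them.
setlocal
set "ROOT=D:\Users"
set "LOGDIR=C:\acl-fix"
set "GROUP=Administrators"
rem DRYRUN=1 only records current ACLs; set to 0 to change them.
set "DRYRUN=1"

if not exist "%LOGDIR%" mkdir "%LOGDIR%"

rem One pass per user folder: <ROOT>\<user>\My Documents
for /d %%U in ("%ROOT%\*") do call :fix "%%~fU\My Documents" "%%~nxU"

echo Done. Review "%LOGDIR%\failed.log" if it exists.
rem When the migration is finished, remove the helper service:
rem   sc delete testsvc
endlocal
goto :eof

:fix
if not exist "%~1" goto :eof
rem Keep a record of the ACL as it was before any change.
cacls "%~1" > "%LOGDIR%\%~2.before.txt" 2>&1
if "%DRYRUN%"=="1" goto :dry
rem /E edits the ACL instead of replacing it, so the user's entries stay.
rem /T recurses, /C continues past errors, /G grants Full control (F).
cacls "%~1" /T /E /C /G %GROUP%:F >> "%LOGDIR%\changes.log" 2>&1
rem Verify by re-reading the ACL rather than trusting the exit code.
cacls "%~1" | findstr /i /c:"%GROUP%" >nul
if errorlevel 1 echo %~1>> "%LOGDIR%\failed.log"
goto :eof

:dry
echo [dry-run] would grant %GROUP%:F on %~1
goto :eof
```

Run it with DRYRUN=1 against a handful of folders first and compare the recorded .before.txt files with the ACLs after a real pass.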
 

Author Closing Comment

by:jvincent9
ID: 31564782
Coolest solution ever!  Thanks bluntTony!  Within the cmd running as System I am able to inject the administrators group to the ACL of all user folders now.  Awesome solution!!!  Thanks again!
0
